kazuho

Keybase proof

I hereby claim:

• I am kazuho on github.
• I am kazuho (https://keybase.io/kazuho) on keybase.
• I have a public key ASAmVek0sSMqTlxwht0ZFkBBQmfHQh54kFN_qlidHhFsVQo

To claim this, I am signing this object:

kazuho

struct on_connect_body_t {
    enum { none, vec, streaming };
    union {
        h2o_iovec_t vec;
        struct {
            h2o_iovec_t first;
            h2o_httpclient_proceed_req_cb *proceed;
            size_t content_length;
        } streaming;
    };

kazuho

/*
 * prints something like:
 * sysname: Darwin
 * release: 16.7.0
 * version: Darwin Kernel Version 16.7.0: Wed Feb 27 00:29:57 PST 2019; root:xnu-3789.73.43~1/RELEASE_X86_64
 * machine: x86_64
 */
#include <stdio.h>
#include <sys/utsname.h>

kazuho

num-threads: 1
listen:
  port: 8080
hosts:
  default:
    listen:
      port: 8443
      ssl:
        certificate-file: examples/h2o/server.crt
        key-file: examples/h2o/server.key

kazuho

{"type":"accept", "conn":0, "time":1533649557458, "desc":"b263412c5ff28411"}
{"type":"crypto-decrypt", "pn":0, "len":356}
{"type":"stream-receive", "stream-id":-1, "off":0, "len":352}
{"type":"crypto-update-secret", "is-enc":1, "epoch":2}
{"type":"crypto-update-secret", "is-enc":0, "epoch":2}
{"type":"crypto-update-secret", "is-enc":1, "epoch":3}
{"type":"crypto-handshake", "tls-error":0}
{"type":"receive", "conn":0, "time":1533649557460, "len":887, "first-octet":252, "desc":"b263412c5ff28411"}
{"type":"send", "conn":0, "time":1533649557460, "desc":""}
{"type":"packet-prepare", "first-octet":255}

kazuho

Why you need a prefix for ESNI

Background

Some CDNs allow their customers to bring in their own DNS. Some do not provide DNS service at all, requiring every customer to bring in their own DNS.

The customer's DNS will have a zone definition like the following:

kazuho

$ build/openssl110/cli esni.examp1e.net 4433    <-- the adddress with _esni record
hello world
server-name: esni.examp1e.net
esni: yes
$ build/openssl110/cli examp1e.net 4433         <-- same address without _esni record
hello world
server-name: examp1e.net
esni: no

kazuho

static int save_client_hello(ptls_on_client_hello_t *self, ptls_t *tls, ptls_iovec_t server_name, const ptls_iovec_t *protocols,
                             size_t num_protocols, const uint16_t *signature_algorithms, size_t num_signature_algorithms)
{
    ptls_set_server_name(tls, (const char *)server_name.base, server_name.len);
#if 0 // you might want to save ALPN as well
    ptls_set_negotiated_protocol(tls, (const char *)protocols[0].base, protocols[0].len);
#endif
    return 0;
}

kazuho

$ openssl s_client -connect www.google.com:443
CONNECTED(00000003)
depth=2 /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority G2
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2

kazuho

static int qhkdf_expand(ptls_hash_algorithm_t *algo, void *output, size_t outlen, const void *secret, const char *label)
{
    ptls_buffer_t hkdf_label;
    uint8_t hkdf_label_buf[16];
    int ret;

    ptls_buffer_init(&hkdf_label, hkdf_label_buf, sizeof(hkdf_label_buf));

    ptls_buffer_push16(&hkdf_label, (uint16_t)outlen);
    ptls_buffer_push_block(&hkdf_label, 1, {